The 2017 Com­bined Indus­tries Theft Solu­tions Con­fer­ence, organ­ised by Faye Coton, aimed to high­light the on going issues of theft and fraud with­in the con­struc­tion, indus­tri­al and agri­cul­tur­al sec­tors. The con­fer­ence, Fraud, the Ele­phant in the Room, fea­tured speak­ers from the police, The Home Office and over 6 oth­er experts in their field. Over 120 del­e­gates met in the RBS Con­fer­ence Cen­tre in Lon­don for the unique event, which includ­ed an exhi­bi­tion from secu­ri­ty providers includ­ing NWM client Datatag ID Lim­it­ed.

This report by Con­tent Live gives an excel­lent sum­ma­ry of the con­fer­ence!

At a recent event host­ed by the Com­bined Indus­tries Theft Solu­tions, atten­dees looked beyond the famil­iar threat of plant theft to the evolv­ing men­ace of fraud.
The Com­bined Indus­tries Theft Solu­tions (CITS) is a not-for-prof­it body from across the con­struc­tion plant indus­try that seeks to tack­le the prob­lem of plant theft. At its recent con­fer­ence, how­ev­er, it explored how com­pa­nies in the sec­tor could com­bat the ris­ing threat of fraud, an ever-chang­ing per­il that is fac­ing all indus­tries.
David Smith, CITS chair­man, explained how the theft threat had changed from phys­i­cal to cyber. “We can all recall when oppor­tunis­tic thieves could eas­i­ly steal a con­struc­tion machine because it had lit­tle secu­ri­ty to pro­tect it,” he said. “Indus­try demand­ed an improve­ment and it came.· Today, thanks to more effec­tive secu­ri­ty devices and polic­ing meth­ods, the num­ber of thefts is reduc­ing. “It is still too high and recov­ery rates are improv­ing but we must not become com­pla­cent; he added.
Smith explained that the prob­lem had evolved: the indus­try has wit­nessed a rise in fraud and
attempt­ed fraud. This ranges from an oppor­tunist attempt­ing iden­ti­ty fraud, to a dis­grun­tled staff mem­ber pass­ing on com­pa­ny pro­to­cols to a crim­i­nal gang, or a gang send­ing emails that con­tain
mal­ware to extort mon­ey.
“All it takes to suc­ceed is for the recip­i­ent to have a momen­tary lapse of con­cen­tra­tion, to inad­ver­tent­ly tap a com­put­er Key, ask an obvi­ous ques­tion or car­ry out a rudi­men­ta­ry check,” he said. ‘The out­come can be dev­as­tat­ing.”
The chang­ing face of crime
Steve Rod­house, deputy assis­tant com­mis­sion­er at the Met­ro­pol­i­tan Police, was on hand to quan­ti­fy the dan­ger. The recent Wan­naCry cyber attack showed such crim­i­nal­i­ty could result in finan­cial loss, threat­en rep­u­ta­tion and endan­ger the con­fi­den­tial data of the com­pa­ny under attack as well as its sup­ply chain.
“The threats from fraud and cyber­crime are gen­uine­ly exis­ten­tial threats to com­pa­nies,· he empha­sised. “They are new and dri­ven by the tech­nol­o­gy that per­vades every­thing we do today.”
Report­ed fraud (and Rod house believes it is mas­sive­ly under­re­port­ed) far out­weighs tra­di­tion­al crimes such as bur­glary. The scale of the threat means it can­not be beat­en by track­ing and arrest­ing the cul­prits, who often work remote­ly in areas where they can­not be touched. The focus must be on rais­ing aware­ness.
“It has to be a joined-up effort,” Rod­house added. “It is impor­tant to report any fraud or attempt­ed fraud as it helps us under­stand the threats and build solu­tions. Our biggest chal­lenge is Keep­ing up with tech­nol­o­gy.”
The Home Office esti­mates that seri­ous and organ­ised crime costs the UK at least £24bn a year. The Office for Nation­al Sta­tis­tics esti­mates that, in the year end­ing June 2017, there were 3.3m fraud offences, of which 1.9m were cyber relat­ed, and an addi­tion­al 1.6m inci­dents of ·com­put­er mis­use·. It is not pos­si­ble for any one body or organ­i­sa­tion to tack­le the entire­ty of fraud and it requires a multi­agency, mul­ti-part­ner­ship response.

“All it takes is for the recip­i­ent to have a momen­tary lapse of con­cen­tra­tion, to inad­ver­tent­ly tap a com­put­er key, and the out­come can be dev­as­tat­ing”David Smith, chair­man, CITS

Tim France from the Home Office high­light­ed some of the schemes in oper­a­tion to com­bat the threat. The Joint Fraud Task­force includes law enforce­ment, banks and vic­tim organ­i­sa­tions, and has a focus on pre­ven­tion. One of its main tasks is to reduce card-not-present fraud. -We can design out this type of fraud with tech­nol­o­gy such as bion­ic data and sim­ple process changes that banks can put in place; said France, “although we under­stand this may change the way we shop online.”
Anoth­er ambi­tion is to cre­ate a scheme to rou­tine­ly trace, freeze, then repa­tri­ate funds back to the vic­tims of fraud. This will require the devel­op­ment of a tech­ni­cal solu­tion and the pro­duc­tion of a legal frame­work for banks to oper­ate in. A pilot kicks off in Jan­u­ary 2018.
Final­ly, France spoke about Take Five, a nation­al part­ner­ship between UK Finance and the gov­ern­ment advis­ing the pub­lic on how to pro­tect them­selves from finan­cial fraud and offline fraud.
Clear and present dan­ger
Chris Dio­genous of the Lon­don Dig­i­tal Secu­ri­ty Cen­tre illus­trat­ed the threat with recent exam­ples. Since 2011, the Drag­on­fly hack­ing group has been tar­get­ing organ­i­sa­tions that use indus­tri­al con­trol sys­tems (ICS) to man­age ener­gy data sys­tems. The activ­i­ty increased in 2017 and the group now appears to be inter­est­ed in learn­ing how ener­gy facil­i­ties oper­ate and gain­ing access to oper­a­tional sys­tems, which means poten­tial­ly it has the abil­i­ty to sab­o­tage or gain con­trol.
The sec­ond exam­ple was US retail­er Tar­get. In Decem­ber 2013 over 40m cred­it card details were
stolen from near­ly 2,000 Tar­get stores by access­ing data on point-of-sale sys­tems. The deliv­ery mech­a­nism for the attack was through a third-par­ty sup­pli­er who had recent­ly installed a heat­ing and ven­ti­la­tion sys­tem at a store. By gain­ing access to the supplier’s sys­tem they were able to gain access to Tar­get. The breach cost Tar­get more than $250m and cost the CEO and CIO their jobs.
“The lessons drawn from these is that cyber­se­cu­ri­ty needs to be brought up at board lev­el,” Dio­genous said. “It is not an IT issue because the impact is not just finan­cial loss and rep­u­ta­tion­al loss. If some­thing did go wrong, what would you do? Do you have the right poli­cies in place? Does your busi­ness need a ded­i­cat­ed exec­u­tive respon­si­ble? You need to under­stand where your high­value data resides and pro­tect it.”
A vari­ety of threats
There are var­i­ous meth­ods fraud­sters employ, includ­ing vish­ing, bogus boss fraud, and invoice redi­rec­tion, the lat­ter of which is extreme­ly preva­lent. If you received a let­ter from a key sup­pli­er ask­ing you to update account details you have on file, would you take this at face val­ue or take steps to ver­i­fy it?
‘Think about some of the larg­er amounts you pay to sup­pli­ers,· said NatWest fraud ana­lyst Sarah Grant. “What would you do if you had to pay that again? Because that’s what hap­pens to some busi­ness­es. Part of the rea­son these meth­ods are suc­cess­ful is that cur­rent­ly in the UK we have no pay­ee name ver­i­fi­ca­tion for bank pay­ments: it’s just the sort code and account num­ber that’s checked. Call your sup­pli­er on a num­ber you already have and ver­i­fy every­thing inde­pen­dent­ly.”
The pro­file of a fraud­ster
Account­ing firm KPMG has been devel­op­ing the pro­file of a typ­i­cal inter­nal fraud­ster since 2010. The pro­file is chang­ing and tech­nol­o­gy is the big dri­ver for this. “The char­ac­ter­is­tic every­one looks at first is that 79% are male,· said Nico­la Cobb, KPMG’s direc­tor of risk con­sult­ing. “Most oper­ate at a senior lev­el. They have the oppor­tu­ni­ty, the net­work, the under­stand­ing of busi­ness process­es. In most cas­es I look at, the fraud­ster has had almost unlim­it­ed author­i­ty.
“They have good net­works and every­one trusts them so it’s easy for them to bypass weak con­trols. If you have weak con­trols you’re more like­ly to have a prob­lem.”
Chang­ing aware­ness
The event cul­mi­nat­ed with detec­tive chief inspec­tor Gary Miles, who leads the Met­ro­pol­i­tan Police
Oper­a­tion Fal­con team, deliv­er­ing a plea for change. “Every­one is being edu­cat­ed around the threat of fraud, but what I want to do is change your behav­iour. I want you to go away and make changes. I
need to con­vince you so can con­vince your employ­ees. If you lead on this, it will make it more dif­fi­cult for these crim­i­nals to car­ry out this sort of behav­iour. We need a cul­tur­al change. These peo­ple aren’t stu­pid.”